The Public Key Infrastructure (PKI) is a critical component of cyber security systems today. Many widely deployed cyber security regimes use PKI, including Transport Layer Security (TLS) and IP Security (IPsec).
The TLS protocol, as defined by RFC 5246, is a standard for providing a secure encrypted communications channel at the socket layer. The TLS standard is governed by the IETF and codified in several RFCs. The TLS protocol has been widely adopted and is used for e-commerce, SSL VPNs and many other applications where data encryption at the session layer is desired.
The IPsec protocol, as defined by a number of Internet RFCs, is a standard for providing a secure encrypted communications channel at the network layer. The IPsec standard is governed by the IETF and codified in several RFCs. The IPsec protocol has been widely adopted and is used for VPNs where data encryption at the network layer is desired. The IPsec protocol suite uses the Internet Key Exchange (IKE) protocol to set up a security association (SA).
Both the TLS and IPsec protocols use a Public Key Infrastructure to establish a secure session. The role of a PKI is to create digital identities that can be trusted. PKI uses certificates to provide the link between an entity's identity and the public key (and corresponding private key) belonging to the entity. Additional certificates are used to verify the signature on an entity's certificate, and then the signatures on those certificates in turn, until a trusted certificate is reached.
During secure session initialization and establishment, both protocols provide for the negotiation of key and encryption options. Both protocols also provide the option to periodically renegotiate encryption keys.
When these protocols are used with modern encryption algorithms such as AES and with encryption keys of sufficient strength, they are nearly unbreakable, even when large amounts of computing resources are applied. But these protocols are not perfect—both protocols are vulnerable to various forms of man-in-the-middle (MITM) attacks during session establishment and key renegotiation. These attacks typically allow an attacker to substitute one public key for another without being detected. This certificate substitution enables the attacker to decrypt the supposedly secure encrypted communication.
There are several different attack vectors that can be used to compromise a PKI certificate, which in turn compromises a secured channel. These include compromising a Certificate Authority, compromising the Certificate Repository, and using weaknesses in message authentication codes (MACs) to allow the modification of a certificate without invalidating its signature.
These attacks are more than theoretical, as new attacks are periodically published. In addition to the published attacks, it is expected that there are further, unpublished attacks using similar approaches.
To reduce the attack surface and to shrink the authentication gap that exists in the TLS and IPsec protocols when used with PKI, additional systemic and ecosystem requirements must also be satisfied for a solution to be viable. These additional requirements are as follows:
No Modification to Existing Security Protocols
The TLS and IPsec protocols, among others, are well established and have been widely adopted in both government and in private industry. Any viable solution must interoperate with the installed base of equipment and be able to take full advantage of the various ecosystem components including FIPS certified libraries and encryption accelerators that are available today.
No Restrictions on Negotiated Options Available in Existing Security Protocols
Various deployments of TLS and IPsec solutions must comply with the requirements of the system for which they have been deployed, and these individual deployments may require the use or disuse of certain options. Any viable solution must not place restrictions upon the use of available options beyond those already imposed by the individual deployment.
Must not Restrict the Future Definition of Options and Enhancements to Security Protocols
The TLS and IPsec protocols have gone through multiple revisions and improvements in their histories. They will undoubtedly undergo additional revisions and improvements in the future. Any viable solution must not place restrictions on the future evolution of these protocols.
No Modification to PKI Standards
The PKI standards are well established and have been widely adopted in both government and in private industry. Any viable solution must be compatible with the current PKI standards and must interoperate with certificates and X.509-based smartcards that have already been issued.
Must not Restrict the Future Definition of Options and Enhancements to PKI Standards
The PKI standards have gone through multiple revisions and improvements in their histories. They will undoubtedly undergo additional revisions and improvements in the future. Any viable solution must not place restrictions on the future evolution of the PKI standards.
No Changes to Deployed Applications
A viable solution must be able to be implemented without requiring the redesign or re-engineering of the application that the solution is designed to protect.
Given the above scenario and requirements, it is therefore desirable to provide a solution to these attacks in such a way as to eliminate a complete class of attacks instead of creating individual responses to each separate incident. The development of such a mechanism would constitute a major technological advance, and would satisfy long-felt needs and aspirations in the computer networking and cyber security industries.